Re: [PATCH] scsi: zfcp: fix use-after-free in zfcp_unit_remove

From: Qinglang Miao
Date: Wed Nov 25 2020 - 20:28:02 EST




On 2020/11/26 1:06, Benjamin Block wrote:
On Fri, Nov 20, 2020 at 03:48:54PM +0800, Qinglang Miao wrote:
kfree(port) is called in put_device(&port->dev) so that following
use would cause use-after-free bug.

The former put_device is redundant for device_unregister contains
put_device already. So just remove it to fix this.

Fixes: 86bdf218a717 ("[SCSI] zfcp: cleanup unit sysfs attribute usage")
Reported-by: Hulk Robot <hulkci@xxxxxxxxxx>
Signed-off-by: Qinglang Miao <miaoqinglang@xxxxxxxxxx>
---
drivers/s390/scsi/zfcp_unit.c | 2 --
1 file changed, 2 deletions(-)

diff --git a/drivers/s390/scsi/zfcp_unit.c b/drivers/s390/scsi/zfcp_unit.c
index e67bf7388..664b77853 100644
--- a/drivers/s390/scsi/zfcp_unit.c
+++ b/drivers/s390/scsi/zfcp_unit.c
@@ -255,8 +255,6 @@ int zfcp_unit_remove(struct zfcp_port *port, u64 fcp_lun)
scsi_device_put(sdev);
}
- put_device(&unit->dev);
-
device_unregister(&unit->dev);
>> return 0;
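Review bot: removing `put_device(&unit->dev)` here leaks a reference rather than fixing a use-after-free: the put it deletes pairs with the reference `_zfcp_unit_find()` takes (as the follow-up mail states), while `device_unregister()` is `device_del()` followed by one `put_device()` that only drops the reference held since registration, so after this hunk every removed unit keeps one extra reference and its release callback never runs. The original ordering is also safe, because the registration reference still pins `unit` until `device_del()` has run. Suggest keeping `put_device(&unit->dev);` (moving it after `device_unregister(&unit->dev);` is equally valid if the ordering is the concern). The commit message should also describe this object: it talks about `kfree(port)` and `put_device(&port->dev)`, but the hunk touches `unit->dev`.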

Same as in the other mail for `zfcp_sysfs_port_remove_store()`. We
explicitly get a new ref in `_zfcp_unit_find()`, so we also need to put
that away again.

Sorry, Benjamin, I don't think so, because device_unregister calls put_device inside.

It seems that another put_device before or after device_unregister is useless and might even cause a use-after-free.
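To make the disagreement above concrete, here is a constructed userspace model of the two lifetime rules the thread relies on; it is added for illustration and is not zfcp or driver-core code. It assumes only what the mails state or what the driver core documents: the lookup (`_zfcp_unit_find()`) returns the object with one extra reference, and `device_unregister()` is `device_del()` plus a single `put_device()` that releases the reference taken at registration. The model counts how many times the object's release (the kernel's `kfree()`) fires in the unpatched sequence versus the patched one.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for struct device's reference count.  Names and
 * fields are hypothetical; only the get/put arithmetic mirrors the kernel. */
struct unit_model {
	int refcount;
	int *release_count;	/* bumped when the object would be kfree'd */
};

/* device_initialize()/device_add(): the object starts with one reference. */
static struct unit_model *unit_register(int *release_count)
{
	struct unit_model *u = calloc(1, sizeof(*u));

	if (!u)
		abort();
	u->refcount = 1;
	u->release_count = release_count;
	return u;
}

static void unit_get(struct unit_model *u)
{
	u->refcount++;
}

/* put_device(): the last reference runs the release callback. */
static void unit_put(struct unit_model *u)
{
	if (--u->refcount == 0) {
		(*u->release_count)++;
		free(u);
	}
}

/* _zfcp_unit_find() as described in the thread: returns with a new ref. */
static struct unit_model *unit_find(struct unit_model *u)
{
	unit_get(u);
	return u;
}

/* device_unregister(): device_del() plus put_device() of the
 * registration reference, and nothing else. */
static void unit_unregister(struct unit_model *u)
{
	unit_put(u);
}

/* Unpatched zfcp_unit_remove(): find, drop the lookup ref, unregister.
 * Returns the number of release events; 1 means freed exactly once. */
int releases_with_put(void)
{
	int releases = 0;
	struct unit_model *u = unit_register(&releases);
	struct unit_model *found = unit_find(u);

	unit_put(found);	/* the put_device() the patch removes */
	unit_unregister(u);	/* drops the registration ref -> release */
	return releases;	/* 1 */
}

/* Patched sequence: find, unregister, never drop the lookup ref.
 * Returns the number of release events; 0 means the unit leaked. */
int releases_without_put(void)
{
	int releases = 0;
	struct unit_model *u = unit_register(&releases);
	struct unit_model *found = unit_find(u);

	unit_unregister(u);	/* only the registration ref goes away */
	int result = releases;	/* 0: refcount is still 1, object never released */

	unit_put(found);	/* model-only cleanup; the patched kernel code
				 * has no such later put, so it leaks instead */
	return result;
}

int main(void)
{
	printf("releases with put_device():    %d\n", releases_with_put());
	printf("releases without put_device(): %d\n", releases_without_put());
	return 0;
}
```

The model shows why the removed line is not a double put: the lookup reference and the registration reference are distinct, and `device_unregister()` only consumes the latter. A second `put_device()` would only become a use-after-free if the code already held no reference of its own, which is not the case after `_zfcp_unit_find()`.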